CN114630327A - Method and equipment for protecting integrity of data packet - Google Patents


Info

Publication number: CN114630327A
Authority: CN (China)
Prior art keywords: data packet, packet, target data, data packets, integrity
Legal status: Pending
Application number: CN202011457763.0A
Other languages: Chinese (zh)
Inventors: 齐旻鹏, 徐晓东
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Priority: CN202011457763.0A
Publication: CN114630327A

Abstract

A method and device for protecting the integrity of data packets. The method includes: a first device groups the data packets to be transmitted to obtain at least one group; according to the grouping, integrity protection is applied to target data packets in the group to generate integrity check information, where the number n of target data packets is less than or equal to the total number m of data packets in the group; and the data packets and the integrity check information are sent to a second device. Compared with the prior art, the method and device for protecting the integrity of data packets provided by the embodiments of the invention treat a plurality of data packets as a whole and provide partial integrity protection, so that user data packets are protected probabilistically while the performance requirement is met.

Description

Method and equipment for protecting integrity of data packet
Technical Field
The invention relates to the technical field of mobile communication, in particular to a method and equipment for protecting the integrity of a data packet.
Background
In a mobile communication network, there are three main types of protection for data packets: confidentiality protection, integrity protection and anti-replay protection. Confidentiality protection mainly addresses leakage of the data packet content; integrity protection mainly addresses tampering with, or outright forgery of, the data packet content; and anti-replay protection, built on top of integrity protection, mainly addresses the replay of a data packet that has been captured and stored.
For a mobile communication network, because the air interface is unstable, data packets may be distorted or even lost during transmission over the air interface, and applying integrity protection would cause such packets to be discarded or retransmitted. This affects real-time (especially voice) services to a greater extent, giving the impression of a call interruption and degrading the user experience. By contrast, for voice-like services, packet distortion may degrade call quality but does not terminate the call. Therefore, in conventional 2G/3G/4G networks, integrity protection is provided only for air interface user signaling and not for user air interface data packets; that is, the real-time transmission requirement is guaranteed at the cost of tolerating modification of the data packets. In the 5G era, however, the mobile communication network will be integrated with vertical industries, the internet of things and so on at a larger scale. Vertical industry and internet of things communication contains a large number of control messages, such as starting equipment or adjusting parameters, and the tolerance of control messages to distortion, illegal tampering and even forgery of data packets is lower. Therefore, integrity protection for user data packets is introduced in 5G.
Currently, the prior art explicitly specifies that integrity protection of user data packets uses the same algorithm as Radio Resource Control (RRC) signaling integrity protection. As shown in fig. 1 and fig. 2, at the sending end, for each data packet (MESSAGE), parameters related to the data packet, such as the transmission direction (DIRECTION), a counter (COUNT) and a bearer identifier (BEARER), are combined with the corresponding integrity key (KEY) to generate an integrity check parameter (MAC-I), which is appended to the end of the data packet (MESSAGE) and sent to the peer (receiving end). As shown in fig. 1 and fig. 3, the receiving end generates the expected check value (XMAC-I) in the same way and compares it with the received MAC-I; if the two are identical, the integrity check succeeds.
Due to limitations in device capabilities, particularly terminal device capabilities, in 5G systems it is currently only possible to mandate integrity protection for low-rate traffic (no greater than 64 kbps), while it is difficult to provide integrity protection for full-rate packet traffic.
Disclosure of Invention
At least one embodiment of the invention provides a method, a terminal and a network device for protecting the integrity of a data packet, which improve the efficiency of integrity protection.
According to one aspect of the invention, at least one embodiment provides a method for protecting the integrity of data packets, comprising:
a first device groups the data packets to be transmitted to obtain at least one group;
according to the grouping, performing integrity protection on target data packets in the group to generate integrity check information, where the number n of target data packets is less than or equal to the total number m of data packets in the group;
and sending the data packets and the integrity check information to a second device.
Furthermore, according to at least one embodiment of the present invention, performing integrity protection on the target data packets in the group according to the grouping includes:
selecting n data packets from the group as target data packets, and determining the data packets covered by the integrity protection of each target data packet, wherein the union of the data packets covered by the integrity protection of all the target data packets is all the data packets in the group;
aiming at the target data packet, generating a first sequence number according to the sequence number of the data packet covered by the integrity protection of the target data packet;
and generating integrity check information corresponding to the target data packet by using a preset parameter and an integrity key, and attaching the integrity check information to the end of the target data packet, wherein the preset parameter at least comprises the first sequence number.
Furthermore, according to at least one embodiment of the present invention, selecting n data packets from the group as target data packets includes:
randomly selecting n data packets from the group as target data packets, according to a random selection mode;
or:
selecting n data packets at preset positions in the group as target data packets, according to a fixed-position selection mode.
Furthermore, according to at least one embodiment of the present invention, the target data packets of each group are selected independently of those of the other groups.
Furthermore, according to at least one embodiment of the present invention, determining the data packets covered by the integrity protection of each target data packet includes any one of the following determination modes:
an average determination mode: dividing the data packets in the group into n segments according to a preset data packet interval L, and, according to the correspondence between segments and target data packets, taking all the data packets in each segment as the data packets covered by the integrity protection of the corresponding target data packet, where L is m/n rounded down to an integer;
a full-coverage determination mode: taking all the data packets in the group to which the target data packet belongs as the data packets covered by the integrity protection of that target data packet;
a random determination mode: randomly selecting at least one data packet from the group as the data packets covered by the integrity protection of the target data packet.
Furthermore, according to at least one embodiment of the present invention, when the data packets in a group are divided into n segments according to the preset data packet interval L, if m is not divisible by n, the remaining data packets are accommodated in the existing segments.
Furthermore, according to at least one embodiment of the present invention, when at least one data packet is randomly selected from the group as the data packets covered by the integrity protection of the target data packet, the method further includes:
concatenating the sequence numbers of the randomly selected data packets with the target data packet to obtain the updated target data packet.
Furthermore, according to at least one embodiment of the present invention, the method further includes:
negotiating with the second device to determine the values of m and n and the mode for determining the data packets covered by the integrity protection of each target data packet.
Furthermore, according to at least one embodiment of the present invention, the first sequence number is obtained by performing an exclusive or calculation on sequence numbers of the data packets covered by the target data packet integrity protection.
According to another aspect of the present invention, at least one embodiment provides a method for protecting the integrity of data packets, including:
a second device receives the data packets sent by a first device and the integrity check information of the data packets;
grouping the received data packets, where the target data packets in each group have corresponding integrity check information, and the number n of target data packets is less than or equal to the total number m of data packets in the group;
and performing an integrity check on the target data packets in each group to obtain an integrity check result for each group.
Furthermore, according to at least one embodiment of the present invention, performing the integrity check on the target data packets in the group includes:
determining the target data packets in the group and the data packets covered by the integrity protection of each target data packet, where the union of the data packets covered by the integrity protection of all the target data packets is all the data packets in the group;
for each target data packet, generating a first sequence number from the sequence numbers of the data packets covered by the integrity protection of that target data packet;
generating the information to be checked corresponding to the target data packet using preset parameters and an integrity key, where the preset parameters include at least the first sequence number;
and comparing the information to be checked corresponding to the target data packet with the integrity check information corresponding to the target data packet to obtain the integrity check result of the target data packet, where the integrity check information corresponding to the target data packet is attached to the end of that target data packet.
Furthermore, according to at least one embodiment of the present invention, obtaining the integrity check result for each group includes:
when the integrity checks of all the target data packets in the group pass, the check result is that the integrity check of the group passes; otherwise, the check result is that the integrity check of the group fails;
or:
when the integrity check of a target data packet passes, the check result is that the integrity check of all the data packets covered by the integrity protection of that target data packet passes; otherwise, the check result is that the integrity check of all the data packets covered by the integrity protection of that target data packet fails.
Furthermore, according to at least one embodiment of the present invention, the target data packets are:
n data packets randomly selected from the group;
or:
n data packets at predetermined positions in the group.
Furthermore, according to at least one embodiment of the present invention, the target data packets of each group are selected independently of those of the other groups.
Furthermore, according to at least one embodiment of the present invention, determining the data packets covered by the integrity protection of the target data packet includes any one of the following determination modes:
an average determination mode: dividing the data packets in the group into n segments according to a preset data packet interval L, and, according to the correspondence between segments and target data packets, determining all the data packets in each segment as the data packets covered by the integrity protection of the corresponding target data packet, where L is m/n rounded down to an integer;
a full-coverage determination mode: determining all the data packets in the group to which the target data packet belongs as the data packets covered by the integrity protection of that target data packet;
a random determination mode: obtaining the sequence numbers of the data packets concatenated with the target data packet, and determining the data packets covered by the integrity protection of the target data packet according to the obtained sequence numbers.
Furthermore, according to at least one embodiment of the present invention, when the data packets in a group are divided into n segments according to the preset data packet interval L, if m is not divisible by n, the remaining data packets are accommodated in the existing segments.
Furthermore, according to at least one embodiment of the present invention, the method further includes:
negotiating with the first device to determine the values of m and n and the mode for determining the data packets covered by the integrity protection of each target data packet.
Furthermore, according to at least one embodiment of the present invention, the first sequence number is obtained by performing an exclusive or calculation on sequence numbers of the data packets covered by the target data packet integrity protection.
According to another aspect of the present invention, at least one embodiment provides a first device comprising:
a grouping module, configured to group the data packets to be transmitted to obtain at least one group;
a protection module, configured to perform integrity protection on target data packets in each group according to the grouping to generate integrity check information, where the number n of target data packets is less than or equal to the total number m of data packets in the group;
and a sending module, configured to send the data packets and the integrity check information to a second device.
According to another aspect of the invention, at least one embodiment provides a first device comprising a transceiver and a processor, wherein,
the processor is used for grouping the data packets to be transmitted to obtain at least one group; according to the grouping, carrying out integrity protection on target data packets in the grouping to generate integrity check information, wherein the number n of the target data packets is less than or equal to the total number m of the data packets in the grouping;
the transceiver is configured to send the data packet and the integrity check information to a second device.
According to another aspect of the present invention, at least one embodiment provides a first apparatus comprising: a processor, a memory and a program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the method as described above.
According to another aspect of the present invention, at least one embodiment provides a second device comprising:
a receiving module, configured to receive the data packets sent by a first device and the integrity check information of the data packets;
a grouping module, configured to group the received data packets, where the target data packets in each group have corresponding integrity check information, and the number n of target data packets is less than or equal to the total number m of data packets in the group;
and a checking module, configured to perform an integrity check on the target data packets in each group to obtain the integrity check result for each group.
In accordance with another aspect of the present invention, at least one embodiment provides a second device comprising a transceiver and a processor, wherein,
the transceiver is configured to receive the data packets sent by a first device and the integrity check information of the data packets;
the processor is configured to group the received data packets, where the target data packets in each group have corresponding integrity check information, and the number n of target data packets is less than or equal to the total number m of data packets in the group; and to perform an integrity check on the target data packets in each group to obtain the integrity check result for each group.
According to another aspect of the present invention, at least one embodiment provides a second apparatus characterized by comprising: a processor, a memory and a program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the method as described above.
According to another aspect of the invention, at least one embodiment provides a computer readable storage medium having a program stored thereon, which when executed by a processor, performs the steps of the method as described above.
Compared with the prior art, the method and device for protecting the integrity of data packets provided by the embodiments of the invention treat a plurality of data packets as a whole and provide partial integrity protection, so that user data packets are protected probabilistically while the performance requirement is met.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic diagram illustrating integrity protection of a data packet at a transmitting end and a receiving end in the prior art;
fig. 2 is a schematic diagram illustrating an integrity protection operation performed on a data packet at a sending end in the prior art;
fig. 3 is a schematic diagram illustrating an integrity protection check operation performed on a data packet at a receiving end in the prior art;
FIG. 4 is a flow chart of a method for packet integrity protection according to an embodiment of the present invention;
fig. 5 is a schematic diagram illustrating an integrity protection operation performed on a data packet at a sending end according to an embodiment of the present invention;
fig. 6 is a schematic diagram illustrating a negotiation between a transmitting end and a receiving end according to an embodiment of the present invention;
FIG. 7 is another flow chart of a method for packet integrity protection according to an embodiment of the present invention;
fig. 8 is a schematic diagram illustrating integrity protection verification of a data packet at a receiving end according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a first apparatus according to an embodiment of the present invention;
fig. 10 is another schematic structural diagram of the first apparatus according to the embodiment of the present invention;
fig. 11 is a schematic structural diagram of a second apparatus according to an embodiment of the present invention;
fig. 12 is another schematic structural diagram of the second apparatus according to the embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The terms first, second and the like in the description and in the claims of the present application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. In the description and in the claims "and/or" means at least one of the connected objects.
The following description provides examples and does not limit the scope, applicability, or configuration set forth in the claims. Changes may be made in the function and arrangement of elements discussed without departing from the spirit and scope of the disclosure. Various examples may omit, substitute, or add various procedures or components as appropriate. For example, the described methods may be performed in an order different than described, and various steps may be added, omitted, or combined. In addition, features described with reference to certain examples may be combined in other examples.
Referring to fig. 4, a method for protecting integrity of a data packet according to an embodiment of the present invention is applied to a first device, and specifically, the first device may be a sending end device. The first device may also be either a sending end device or a receiving end device, allowing for bidirectional transmission of data. As shown in fig. 4, the method for protecting the integrity of the data packet includes:
step 41, the first device groups the data packets to be transmitted to obtain at least one group.
Here, when sending data packets to the second device, the first device groups the data packets to be transmitted. Specifically, it may group them according to a preset group size, where the group size may be expressed as the number of data packets included in the group; in this case most groups contain the same number of data packets. Of course, the embodiment of the present invention may also adopt a dynamic group size, where the group size is adjusted according to the rate of the data packets. In general the group size is positively correlated with the data packet rate: the higher the data packet rate, the more data packets a group contains, and conversely, the lower the rate, the fewer data packets a group contains. In this way one or more groups are obtained, and one group may include one or more data packets. Fig. 5 shows an example of grouping according to a group size m, where data packets Message_1 to Message_m form the first group, data packets Message_m+1 to Message_2m form the second group, and so on, to obtain a plurality of groups.
Step 42, according to the grouping, performing integrity protection on target data packets in each group to generate integrity check information, where the number n of target data packets is less than or equal to the total number m of data packets in the group.
Here, the embodiment of the present invention performs integrity protection on the basis of a group, which changes the prior-art method of performing integrity protection on each individual data packet; therefore, when a group includes a plurality of data packets, the embodiment can reduce the computational load of integrity protection and improve its efficiency. When integrity protection is performed on a group, all or some of the data packets in the group may be protected, and the data packets on which the integrity protection operation is performed are referred to herein as target data packets.
Step 43, sending the data packet and the integrity check information to the second device.
Here, after generating the integrity check information, the first device may transmit the integrity check information together with the data packet to the second device. Specifically, the integrity check information may be generally attached to a trailer of the target data packet, and when one integrity check information is generated for a plurality of target data packets, the integrity check information may be attached to a trailer of a last data packet in the plurality of target data packets.
Fig. 5 shows an example of integrity protection for n target data packets among the m data packets of a group; for example, integrity protection is performed on data packet Message_2 in the first group, and an integrity check value MAC-I_1 is generated and attached to the tail of data packet Message_2.
Through the steps, the embodiment of the invention carries out grouping on the data packets to be sent and then carries out data integrity protection on the grouping, so that even under the condition that the full-rate data packets cannot be completely processed, the embodiment of the invention can regard a plurality of data packets as a whole to provide partial integrity protection, thereby carrying out probabilistic integrity protection on the user data packets under the condition of meeting the performance requirement and improving the efficiency of data integrity protection.
In step 42 above, when performing integrity protection on a group, the embodiment of the present invention may protect the target data packets in the group. Specifically, performing integrity protection on the target data packets in the group according to the grouping may include:
A) selecting n data packets from the group as target data packets, and determining the data packets covered by the integrity protection of each target data packet, where the union of the data packets covered by the integrity protection of all the target data packets is all the data packets in the group.
Here, the n data packets may be selected from the group as target data packets in a random selection mode, in which n data packets are chosen from the group at random, or in a fixed-position selection mode, in which the n data packets at preset positions in the group are chosen; for example, the data packets at odd or even positions within the group may be selected, or the data packet at a specific position within each segment may be selected as the target data packet (segments are defined below). The way target data packets are selected may be the same in different groups, i.e. all groups follow the same rule. To improve the security of the integrity protection, the target data packets in the embodiment of the present invention may be selected independently, that is, each group independently selects its own target data packets, and the selection modes of different groups may be the same or different.
In the embodiment of the present invention, the data packet covered by each target data packet integrity protection refers to a data packet targeted by the target data packet for integrity protection, and may generally include the target data packet itself (as an implementation manner, the target data packet itself may not be included), and may also include other data packets in the packet. The determining method of the data packet covered by the integrity protection of each target data packet may include any one of the following determining methods:
1) An average determination mode: dividing the data packets in the group into n segments according to a preset data packet interval L, and, according to the correspondence between segments and target data packets, taking all the data packets in each segment as the data packets covered by the integrity protection of the corresponding target data packet, where L is m/n rounded down to an integer.
For example, the packet includes 12 data packets, and each 3 data packets can belong to the same segment, so that the data packets are divided into 4 segments, that is, the data packets 1 to 3 in the packet are the first segment, the data packets 4 to 6 are the second segment, the data packets 7 to 9 are the third segment, and the data packets 10 to 12 are the fourth segment.
These four segments correspond one-to-one to the 4 target data packets in the group:
As one implementation, assuming that the 4 target data packets are the first data packet of each segment, the data packets covered by data packet 1 in the first segment (i.e. the target data packet of that segment) are all the data packets in the first segment; the data packets covered by data packet 4 in the second segment are all the data packets in the second segment; the data packets covered by data packet 7 in the third segment are all the data packets in the third segment; and the data packets covered by data packet 10 in the fourth segment are all the data packets in the fourth segment.
As another implementation, assuming that the 4 target data packets are data packets 1 to 4 of the group, the data packets covered by data packet 1 are all the data packets in the first segment, those covered by data packet 2 are all the data packets in the second segment, those covered by data packet 3 are all the data packets in the third segment, and those covered by data packet 4 are all the data packets in the fourth segment.
In addition, when the data packets in the group are divided into n segments according to the preset data packet interval L and m is not divisible by n, the remaining data packets are placed into an existing segment; specifically, all the remaining data packets may be placed into the last segment or into the first segment.
In the embodiment of the invention, the average determination mode performs the integrity protection operation over equal-sized segments. For example, the integrity check information MAC-I_1 is generated from the packet sequence numbers (COUNT) of MESSAGE_1, MESSAGE_2, ..., MESSAGE_m/n; the integrity check information MAC-I_2 is generated from the COUNTs of MESSAGE_m/n+1, ..., MESSAGE_2m/n; and so on. Where m is not exactly divisible by n, the sequence numbers of the remaining data packets may be included in the integrity protection operation of the last target data packet, or distributed, from back to front, across the integrity protection operations of several target data packets.
2) Total quantity determination mode: all the data packets in the group containing the target data packet are taken as the data packets covered by the integrity protection of that target data packet.
When the total quantity determination mode is adopted, the data packets covered by each target data packet are all the data packets in the group. For example, the integrity check information MAC-I_1 is generated from the COUNTs of all of MESSAGE_1 to MESSAGE_m, and MAC-I_2 to MAC-I_n are generated in the same way.
3) Random determination mode: at least one data packet is selected at random from the group as a data packet covered by the integrity protection of the target data packet.
For example, MAC-I_1 is generated from the COUNTs of MESSAGE_1, MESSAGE_3, etc.; MAC-I_2 is generated from the COUNTs of MESSAGE_4, etc.; and MAC-I_n is generated from the COUNTs of MESSAGE_2, etc. The union of the data packets covered by all the target data packets is all the data packets in the group. In addition, when the random determination mode is adopted, the sequence numbers of the randomly selected data packets can be concatenated with the target data packet to obtain an updated target data packet, so that the target data packet carries the sequence numbers of all the data packets it covers. For example, when the data packets covered by the data packet MESSAGE are selected in the random determination mode, MESSAGE is updated by appending a list of the sequence number (COUNT) values of the covered data packets after the original MESSAGE. Suppose the MAC-I of MESSAGE needs to cover t data packets, denoted MESSAGE[1], MESSAGE[2], ..., MESSAGE[t]. Then:
MESSAGE' = MESSAGE || COUNT[1] || COUNT[2] || ... || COUNT[t]
where COUNT[i] is the sequence number of the i-th covered data packet and || denotes concatenation.
In the embodiment of the present invention, the positions of the target data packets on which the integrity protection operation is performed may be random or fixed. To ensure that an attacker cannot know which data packet carries the MAC-I information required for integrity protection, the target data packets of each group may be selected at random, and the selection in different groups may be independent.
B) For the target data packet, a first sequence number is generated from the sequence numbers of the data packets covered by the integrity protection of the target data packet.
As one implementation, the first sequence number is obtained by XOR-ing the sequence numbers of the data packets covered by the integrity protection of the target data packet. For example, suppose the MAC-I of a particular data packet needs to cover t data packets, denoted MESSAGE[1], MESSAGE[2], ..., MESSAGE[t]. Then the first sequence number COUNT may be calculated as:
COUNT = COUNT[1] XOR COUNT[2] XOR ... XOR COUNT[t]
where XOR denotes exclusive or.
As another implementation, the first sequence number may also be obtained by concatenating the sequence numbers of the data packets covered by the integrity protection of the target data packet.
C) Integrity check information corresponding to the target data packet is generated using preset parameters and an integrity key, and the integrity check information is attached to the end of the target data packet, where the preset parameters include at least the first sequence number.
Here, when generating the integrity check information (MAC-I) corresponding to the target data packet, the existing MAC-I generation process may be adopted; for example, the parameters related to the data packet may include the uplink/downlink DIRECTION of the data packet, the sequence number COUNT (which may also be called the counter), the bearer identifier BEARER, and the corresponding integrity KEY. However, MESSAGE and COUNT must be changed: because the MAC-I now carries sequence number information of multiple MESSAGEs, the sequence number of the data packet is replaced by the first sequence number in the calculation; and when the mode for determining the data packets covered by the integrity protection of each target data packet is the random determination mode, the data packet is replaced by MESSAGE' when the MAC-I is generated.
Specifically, the preset parameters including the first sequence number are input into an integrity check algorithm to generate the integrity check information corresponding to the target data packet. The embodiment of the invention attaches the generated integrity check information to the end of the target data packet, that is, at the tail position.
In this embodiment of the present invention, the first device may further determine the values of m and n by negotiating with the second device, and determine the mode for deciding the data packets covered by the integrity protection of each target data packet. Fig. 6 shows an example of parameter negotiation between the receiving end and the transmitting end; the transmitting end in fig. 6 may be the first device and the receiving end the second device. The two ends must negotiate the related parameters in advance so that they share m, n, and the operation rule (i.e. the mode for deciding which data packets the integrity protection of a target data packet covers, denoted OP). The operation rule may be encoded in advance and the code transmitted instead of the rule itself; for example, the average determination mode is encoded as OP1, the total quantity determination mode as OP2, and the random determination mode as OP3. The negotiation may be carried over Radio Resource Control (RRC) signaling: the transmitting end sends the expected value ranges of m, n and OP in message 1, the receiving end selects one value of each parameter from those ranges and returns the selection to the transmitting end in message 2, which completes the parameter negotiation. Because the RRC signaling channel has encryption and integrity protection, the parameters can be negotiated and transmitted securely between the two ends.
As can be seen from the above description, in the embodiment of the present invention a plurality of data packets (say m) are grouped into one group at the sending end, and a selected part of them (say n, with n less than or equal to m), the target data packets, are subjected to the integrity protection operation. When the operation is performed on this part of the data packets, information of the other data packets in the group is included, so that the group as a whole is integrity-protected and the efficiency of integrity protection can be improved.
The method of the embodiment of the present invention is explained above from the transmitting end. The following further explains from the receiving side.
Referring to fig. 7, the method for protecting integrity of a data packet according to an embodiment of the present invention, when applied to a second device, includes:
Step 71: the second device receives the data packets sent by the first device and the integrity check information of the data packets.
Step 72: the received data packets are grouped, where the target data packets in each group have corresponding integrity check information, and the number n of target data packets is less than or equal to the total number m of data packets in the group.
Here, the second device may group the received data packets by the group size m. The values of m and n may be obtained in advance through negotiation with the first device.
Step 73: integrity checking is performed on the target data packets in each group to obtain an integrity check result for each group.
Here, the target data packets may be n data packets selected at random from the group, or n data packets at predetermined positions in the group. In addition, the way the target data packets are selected in each group may be independent.
Where the sending end (first device) selects the target data packets for the integrity protection operation at random, the second device can determine which data packets in a group are the target data packets as follows: because the first device attaches the integrity check information to the end of each target data packet, the second device can identify the target data packets in the group by whether integrity check information is present at the end. Where the sending end (first device) selects the data packets at predetermined positions in the group for the integrity protection operation, the second device can determine the target data packets from those predetermined positions.
Integrity checking of the target data packets in a group may specifically include the following steps s1 to s4:
Step s1: the second device determines the target data packets in the group and determines the data packets covered by the integrity protection of each target data packet, where the union of the data packets covered by the integrity protection of all the target data packets is all the data packets in the group.
Here, the second device may negotiate with the first device in advance to determine the values of m and n and the mode for deciding which data packets each target data packet's integrity protection covers. In this way the second device knows which of the following modes determines the data packets covered by the integrity protection of a target data packet:
A) Average determination mode: the data packets in the group are divided into n segments according to a preset data packet interval L, and, according to the correspondence between segments and target data packets, all the data packets in a segment are determined to be the data packets covered by the integrity protection of the corresponding target data packet, where L is m/n rounded down to an integer. When the data packets in the group are divided into n segments according to the preset data packet interval L and m is not divisible by n, the remaining data packets are placed into an existing segment.
B) Total quantity determination mode: all the data packets in the group containing the target data packet are determined to be the data packets covered by the integrity protection of that target data packet.
C) Random determination mode: the sequence numbers concatenated with the target data packet are obtained, and the data packets covered by the integrity protection of the target data packet are determined from those sequence numbers.
Step s2: for the target data packet, a first sequence number is generated from the sequence numbers of the data packets covered by the integrity protection of the target data packet. For example, the first sequence number may be obtained by XOR-ing the sequence numbers of the data packets covered by the integrity protection of the target data packet.
Step s3: information to be checked corresponding to the target data packet is generated using preset parameters and the integrity key, where the preset parameters include at least the first sequence number.
Step s4: the information to be checked corresponding to the target data packet is compared with the integrity check information corresponding to the target data packet to obtain the integrity check result of the target data packet, for example whether the target data packet passes the integrity check, where the integrity check information corresponding to the target data packet is attached to the end of the target data packet.
After the integrity check results of the target data packets are obtained, the embodiment of the invention can also derive the integrity check result of the group, that is, the final check result for the data packets in the group.
As one implementation, the embodiment of the present invention obtains a final check result that the group passes the integrity check when the integrity check results of all the target data packets in the group pass, and otherwise determines a final check result that the group fails the integrity check. In this way, the group is determined to pass the integrity check only if all of its target data packets pass. That is, with this checking method the final check result is that either all the data packets in the group pass or all of them fail. Fig. 8 shows an example: among the data packets Message_m+1 to Message_2m, the integrity check information MAC-I_2n of data packet Message_2m does not match the information to be checked XMAC-I_2n generated by the second device, so the data packets Message_m+1 to Message_2m as a whole fail the integrity check.
As another implementation, in the embodiment of the present invention, when the integrity check result of a target data packet passes, the final check result is that all the data packets covered by the integrity protection of that target data packet pass the integrity check; otherwise, the final check result is that all the data packets covered by the integrity protection of that target data packet fail the integrity check. In this implementation, a check result is responsible only for the data packets covered by the integrity protection of the corresponding target data packet. That is, some data packets in a group may pass the check while others fail. This checking method is generally suited to the scenario in which the data packets covered by different target data packets in a group do not overlap.
In addition, for the mode of determining the data packet covered by each target data packet integrity protection as the random determination mode, when the final verification result of the integrity verification of the corresponding packet passes, the embodiment of the present invention further strips and removes the sequence number (COUNT) value list of the covered data packet from the target data packet, and restores the data packet to the form of the original data packet, that is, restores the data packet MESSAGE' to MESSAGE.
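The sender-side procedure (segmenting the group in the average determination mode, XOR-ing the covered COUNTs into the first sequence number, attaching MAC-I to the target data packets) and the receiver-side steps s1 to s4 with both final-verdict rules, as an added example that is not the patent's or any 3GPP implementation's code. The 32-bit MAC-I length, HMAC-SHA256 as a stand-in for the unnamed integrity algorithm, the parameter encoding, and the sample group and key are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAC_LEN = 4          # 32-bit MAC-I; assumption for this example


@dataclass
class Packet:
    count: int                 # sequence number COUNT
    payload: bytes
    mac_i: bytes = b""         # integrity check information at the end of the
                               # packet; empty for packets that are not targets


def segments_average(m, n):
    """Average determination mode (OP1): n segments of L = floor(m/n) packets.
    If n does not divide m, the remaining packets go into the last segment,
    one of the two placements the description allows."""
    L = m // n
    segs = [range(i * L, (i + 1) * L) for i in range(n)]
    segs[-1] = range((n - 1) * L, m)
    return segs


def first_sequence_number(counts):
    """COUNT = COUNT[1] XOR COUNT[2] XOR ... XOR COUNT[t]."""
    x = 0
    for c in counts:
        x ^= c
    return x


def mac_i(key, bearer, direction, count, message):
    """MAC-I over (COUNT, BEARER, DIRECTION, MESSAGE) under the integrity key.
    Parameter encoding and HMAC-SHA256 truncation are assumptions."""
    data = count.to_bytes(4, "big") + bytes([bearer, direction]) + message
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def protect_group(key, bearer, direction, group, n, targets=None):
    """Sender: pick n target packets (random if not fixed), map the i-th target
    to the i-th segment, and attach MAC-I to each target. Returns the targets."""
    m = len(group)
    if targets is None:
        targets = sorted(secrets.SystemRandom().sample(range(m), n))
    for seg, t in zip(segments_average(m, n), targets):
        cnt = first_sequence_number(group[i].count for i in seg)
        group[t].mac_i = mac_i(key, bearer, direction, cnt, group[t].payload)
    return targets


def verify_group(key, bearer, direction, group, n, per_coverage=False):
    """Receiver (steps s1..s4): targets are the packets carrying a MAC-I;
    XMAC-I is recomputed from the received COUNTs and compared.
    per_coverage=False applies the whole-group verdict, True the verdict per
    target's covered packets. Returns one boolean per packet."""
    m = len(group)
    targets = [i for i, p in enumerate(group) if p.mac_i]
    if len(targets) != n:                 # wrong number of MAC-Is: reject group
        return [False] * m
    ok = [True] * m
    for seg, t in zip(segments_average(m, n), targets):
        cnt = first_sequence_number(group[i].count for i in seg)
        xmac = mac_i(key, bearer, direction, cnt, group[t].payload)
        if not hmac.compare_digest(xmac, group[t].mac_i):
            for i in seg:
                ok[i] = False
    if not per_coverage and not all(ok):
        return [False] * m
    return ok


def make_group(m):
    """Constructed sample group: COUNT 100..100+m-1, 8-byte payloads."""
    return [Packet(count=100 + i, payload=bytes([i]) * 8) for i in range(m)]


def demo():
    """Scenarios the description reasons about; returns the verdict lists."""
    key, bearer, direction = b"\x11" * 16, 3, 0       # constructed values
    m, n, targets = 10, 4, [0, 2, 4, 6]               # fixed-position targets
    out = {}
    g = make_group(m); protect_group(key, bearer, direction, g, n, targets)
    out["intact"] = verify_group(key, bearer, direction, g, n)
    g = make_group(m); protect_group(key, bearer, direction, g, n, targets)
    g[2].payload = b"\xff" * 8                        # target payload altered
    out["target_tampered_group"] = verify_group(key, bearer, direction, g, n)
    out["target_tampered_cov"] = verify_group(key, bearer, direction, g, n, True)
    g = make_group(m); protect_group(key, bearer, direction, g, n, targets)
    g[7].count = 999                                  # covered packet replaced:
    out["covered_replaced_cov"] = verify_group(key, bearer, direction, g, n, True)
    g = make_group(m); protect_group(key, bearer, direction, g, n, targets)
    g[1].payload = b"\x00" * 8                        # non-target payload only:
    out["nontarget_payload"] = verify_group(key, bearer, direction, g, n)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The last scenario shows the probabilistic nature of the scheme: a changed payload of a non-target packet is not bound by any MAC-I, which is why the description estimates detection of a randomly placed modification at about n/m.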
Consider that an attacker who attempts to tamper with data packets must select the packets to attack either consecutively or at random. An attacker does not want to be discovered during the attack; with a consecutive attack, an integrity-protected data packet is usually tampered with as well, so the attack is discovered. With randomly selected data packets, the probability that the attacker selects an integrity-protected data packet is about p = n/m, which causes the attack to be discovered; the embodiment of the present invention can therefore deter an attacker to a certain extent.
Through the above steps, the embodiment of the invention can check the data packets, sent by the first device, that carry integrity information.
Various methods of embodiments of the present invention have been described above. An apparatus for carrying out the above method is further provided below.
Referring to fig. 9, an embodiment of the present invention provides a first device, including:
a grouping module 91, configured to group data packets to be transmitted to obtain at least one group;
a protection module 92, configured to perform integrity protection on a target data packet in a packet according to the packet, and generate integrity check information, where the number n of the target data packet is less than or equal to the total number m of data packets in the packet;
a sending module 93, configured to send the data packet and the integrity check information to a second device.
Through the modules, the first device of the embodiment of the invention can improve the efficiency of data integrity protection, and can discover the behavior of an attacker tampering the data packet to a certain extent, thereby improving the security of data transmission.
Optionally, the protection module 92 is further configured to:
selecting n data packets from the group as target data packets, and determining the data packets covered by the integrity protection of each target data packet, wherein the union of the data packets covered by the integrity protection of all the target data packets is all the data packets in the group;
aiming at the target data packet, generating a first sequence number according to the sequence number of the data packet covered by the integrity protection of the target data packet;
and generating integrity check information corresponding to the target data packet by using a preset parameter and an integrity key, and attaching the integrity check information to the end of the target data packet, wherein the preset parameter at least comprises the first sequence number.
Optionally, the protection module 92 is further configured to:
randomly selecting n data packets from the grouping as target data packets according to a random selection mode;
or,
and selecting n data packets at preset positions from the grouping as the target data packets according to a fixed position selection mode.
Optionally, the modes of selecting the target data packet from each group are independent of each other.
Optionally, the protection module 92 is further configured to: determining the mode of the data packet covered by the integrity protection of each target data packet according to any one of the following determination modes:
an average determination mode: dividing the data packets in the packet into n segments according to a preset data packet interval L; according to the corresponding relation between the segments and the target data packets, taking all the data packets in each segment as the data packets covered by the integrity protection of the corresponding target data packets, wherein L is an integer value for rounding m/n downwards;
the total quantity determination mode is as follows: taking all data packets in the group where the target data packet is located as data packets covered by the integrity protection of the target data packet;
a random determination mode: and randomly selecting at least one data packet from the group as the data packet covered by the target data packet integrity protection.
Optionally, the grouping module is further configured to, when a data packet in the group is divided into n segments according to a preset data packet interval L, if m cannot be divided by n, accommodate the remaining data packets into the existing segments.
Optionally, the protection module 92 is further configured to, when at least one data packet is randomly selected from the group and used as a data packet covered by the integrity protection of the target data packet, cascade a sequence number of the randomly selected data packet with the target data packet to obtain the updated target data packet.
Optionally, the first device further includes:
and the negotiation module is used for negotiating with the second equipment, determining the values of m and n and determining the mode of the data packet covered by the integrity protection of each target data packet.
Optionally, the first sequence number is obtained by performing xor calculation on the sequence numbers of the data packets covered by the integrity protection of the target data packet.
It should be noted that the apparatus in this embodiment corresponds to the method shown in fig. 4; the implementations in the above embodiments are all applicable to the apparatus embodiment and achieve the same technical effects. The apparatus provided in the embodiment of the present invention can implement all the method steps of the method embodiment and achieve the same technical effects, and the parts and beneficial effects identical to those of the method embodiment are not described again here.
Referring to fig. 10, a schematic structural diagram of a first apparatus 1000 according to an embodiment of the present invention includes: a processor 1001, a transceiver 1002, a memory 1003, a user interface 1004, and a bus interface.
In an embodiment of the present invention, the first device 1000 further includes: programs stored on the memory 1003 and executable on the processor 1001.
The processor 1001, when executing the program, implements the following steps:
grouping data packets to be transmitted to obtain at least one group;
according to the grouping, carrying out integrity protection on target data packets in the grouping to generate integrity check information, wherein the number n of the target data packets is less than or equal to the total number m of the data packets in the grouping;
and sending the data packet and the integrity check information to a second device.
It can be understood that, in the embodiment of the present invention, when the computer program is executed by the processor 1001, each process of the method embodiment for protecting integrity of a data packet shown in fig. 4 can be implemented, and the same technical effect can be achieved.
In fig. 10, the bus architecture may include any number of interconnected buses and bridges, with one or more processors represented by processor 1001 and various circuits of memory represented by memory 1003 being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 1002 may be a number of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium. The user interface 1004 may also be an interface capable of interfacing with a desired device for different user devices, including but not limited to a keypad, display, speaker, microphone, joystick, etc.
The processor 1001 is responsible for managing a bus architecture and general processes, and the memory 1003 may store data used by the processor 1001 in performing operations.
It should be noted that the terminal in this embodiment corresponds to the method shown in fig. 4; the implementations in the above embodiments are all applicable to the device embodiment and achieve the same technical effects. In the apparatus, the transceiver 1002 and the memory 1003, and the transceiver 1002 and the processor 1001, may be communicatively connected through the bus interface; the functions of the processor 1001 may also be implemented by the transceiver 1002, and the functions of the transceiver 1002 may also be implemented by the processor 1001. The apparatus provided in the embodiment of the present invention can implement all the method steps of the method embodiment and achieve the same technical effects, and the parts and beneficial effects identical to those of the method embodiment are not described again here.
In some embodiments of the invention, there is also provided a computer readable storage medium having a program stored thereon, which when executed by a processor, performs the steps of:
grouping data packets to be transmitted to obtain at least one group;
according to the grouping, carrying out integrity protection on target data packets in the grouping to generate integrity check information, wherein the number n of the target data packets is less than or equal to the total number m of the data packets in the grouping;
and sending the data packet and the integrity check information to a second device.
When executed by the processor, the program can implement all the implementation manners of the method for protecting the integrity of the data packet applied to the first device, and can achieve the same technical effect, and is not described herein again to avoid repetition.
An embodiment of the present invention provides a second device 110 shown in fig. 11, including:
a receiving module 111, configured to receive a data packet sent by a first device and integrity check information of the data packet;
a grouping module 112, configured to group the received data packets, where a target data packet in each group has corresponding integrity check information, and the number n of the target data packets is less than or equal to the total number m of data packets in the group;
the checking module 113 is configured to perform integrity checking on the target data packet in the packet, and obtain an integrity checking result of each packet.
Optionally, the verification module 113 is further configured to:
determining target data packets in the group, and determining data packets covered by the integrity protection of each target data packet, wherein the union of the data packets covered by the integrity protection of all the target data packets is all the data packets in the group;
aiming at the target data packet, generating a first sequence number according to the sequence number of the data packet covered by the integrity protection of the target data packet;
generating information to be checked corresponding to the target data packet by using preset parameters and an integrity key, wherein the preset parameters at least comprise the first serial number;
and comparing the information to be verified corresponding to the target data packet with the integrity verification information corresponding to the target data packet to obtain an integrity verification result of the target data packet, wherein the integrity verification information corresponding to the target data packet is attached to the end of the target data packet.
Optionally, the verification module 113 is further configured to:
when the integrity check results of all target data packets in the group are passed, obtaining the check result that the integrity check of the group is passed, otherwise, judging the check result that the integrity check of the group fails;
or,
and when the integrity check result of each target data packet passes, obtaining the check result that the integrity check of all the data packets covered by the integrity protection of the target data packet passes, otherwise, obtaining the check result that the integrity check of all the data packets covered by the integrity protection of the target data packet fails.
Optionally, the target data packet is:
n data packets randomly selected from the group;
or,
n data packets at predetermined positions in the packet.
Optionally, the modes of selecting the target data packet in each group are independent of each other.
Optionally, the checking module 113 is further configured to determine a data packet covered by the integrity protection of the target data packet according to any one of the following determination manners:
an average determination mode: dividing the data packets in the packet into n segments according to a preset data packet interval L; determining all data packets in each segment as data packets covered by the integrity protection of the corresponding target data packet according to the corresponding relation between the segments and the target data packet, wherein L is an integer value for rounding down m/n;
the total quantity determination mode is as follows: determining all data packets in the group where the target data packet is located as data packets covered by the integrity protection of the target data packet;
a random determination mode: and acquiring a serial number of a data packet cascaded with the target data packet, and determining the data packet covered by the integrity protection of the target data packet according to the acquired serial number.
Optionally, the grouping module is further configured to, when a data packet in the group is divided into n segments according to a preset data packet interval L, if m cannot be divided by n, accommodate the remaining data packets into the existing segments.
Optionally, the second device further includes:
and the negotiation module is used for negotiating with the first equipment, determining the values of m and n and determining the mode of the data packet covered by the integrity protection of each target data packet.
Optionally, the first sequence number is obtained by performing xor calculation on the sequence numbers of the data packets covered by the integrity protection of the target data packet.
The apparatus in this embodiment corresponds to the method shown in fig. 7; the implementations in the above embodiments are all applicable to the apparatus embodiment and achieve the same technical effects. The apparatus provided in the embodiment of the present invention can implement all the method steps of the method embodiment and achieve the same technical effects, and the parts and beneficial effects identical to those of the method embodiment are not described again here.
Referring to fig. 12, an embodiment of the invention provides a structural schematic diagram of a second apparatus 1200, including: a processor 1201, a transceiver 1202, a memory 1203 and a bus interface, wherein:
in this embodiment of the present invention, the second device 1200 further includes: a program stored on the memory 1203 and executable on the processor 1201, which when executed by the processor 1201, performs the steps of:
receiving a data packet sent by first equipment and integrity check information of the data packet;
grouping the received data packets, wherein a target data packet in each group has corresponding integrity check information, and the number n of the target data packets is less than or equal to the total number m of the data packets in the group;
and carrying out integrity check on the target data packets in the groups to obtain the integrity check result of each group.
It can be understood that, in the embodiment of the present invention, when being executed by the processor 1201, the computer program can implement each process of the method embodiment for protecting integrity of a data packet shown in fig. 7, and can achieve the same technical effect, and in order to avoid repetition, details are not described here again.
In fig. 12, the bus architecture may include any number of interconnected buses and bridges, with various circuits linking one or more processors, represented by the processor 1201, and memory, represented by the memory 1203. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 1202 may be a number of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium.
The processor 1201 is responsible for managing a bus architecture and general processing, and the memory 1203 may store data used by the processor 1201 in performing operations.
It should be noted that the device in this embodiment corresponds to the method shown in fig. 7; the implementation manners in the above embodiments all apply to the embodiment of the device, and the same technical effects can be achieved. In the device, the transceiver 1202 and the memory 1203, and the transceiver 1202 and the processor 1201, may be communicatively connected by a bus interface; the functions of the processor 1201 may also be implemented by the transceiver 1202, and the functions of the transceiver 1202 may also be implemented by the processor 1201. It should be noted that the apparatus provided in the embodiment of the present invention can implement all the method steps implemented by the method embodiment and achieve the same technical effect, and detailed descriptions of the parts and beneficial effects that are the same as in the method embodiment are omitted here.
In some embodiments of the invention, there is also provided a computer readable storage medium having a program stored thereon, which when executed by a processor, performs the steps of:
receiving a data packet sent by the first device and integrity check information of the data packet;
grouping the received data packets, wherein a target data packet in each group has corresponding integrity check information, and the number n of the target data packets is less than or equal to the total number m of the data packets in the group;
and carrying out integrity check on the target data packets in the group to obtain an integrity check result of each group.
When being executed by the processor, the program can realize all the implementation manners in the method for protecting the integrity of the data packet applied to the second device, and can achieve the same technical effect, and the details are not repeated here to avoid repetition.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be realized in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk, and other media capable of storing program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (25)

1. A method for packet integrity protection, comprising:
a first device groups data packets to be transmitted to obtain at least one group;
according to the grouping, carrying out integrity protection on target data packets in the grouping to generate integrity check information, wherein the number n of the target data packets is less than or equal to the total number m of the data packets in the grouping;
and sending the data packet and the integrity check information to a second device.
2. The method of claim 1, wherein carrying out integrity protection on the target data packets in the group according to the group comprises:
selecting n data packets from the group as target data packets, and determining the data packets covered by the integrity protection of each target data packet, wherein the union of the data packets covered by the integrity protection of all the target data packets is all the data packets in the group;
for each target data packet, generating a first sequence number according to the sequence numbers of the data packets covered by the integrity protection of the target data packet;
and generating integrity check information corresponding to the target data packet by using preset parameters and an integrity key, and attaching the integrity check information to the end of the target data packet, wherein the preset parameters at least comprise the first sequence number.
3. The method of claim 2, wherein selecting n data packets from the group as target data packets comprises:
randomly selecting n data packets from the group as the target data packets according to a random selection mode;
or,
selecting n data packets at preset positions in the group as the target data packets according to a fixed-position selection mode.
4. The method of claim 3, wherein the target data packets are selected in each group independently of the other groups.
5. The method of claim 2, wherein determining the data packets covered by the integrity protection of each target data packet comprises any one of the following:
an average determination mode: dividing the data packets in the group into n segments according to a preset data packet interval L; according to the correspondence between the segments and the target data packets, taking all the data packets in each segment as the data packets covered by the integrity protection of the corresponding target data packet, wherein L is m/n rounded down to an integer;
a total determination mode: taking all the data packets in the group in which the target data packet is located as the data packets covered by the integrity protection of the target data packet;
a random determination mode: randomly selecting at least one data packet from the group as the data packets covered by the integrity protection of the target data packet.
6. The method of claim 5, wherein, when the data packets in the group are divided into n segments according to the preset data packet interval L and m is not divisible by n, the remaining data packets are accommodated in the existing segments.
7. The method of claim 5, wherein randomly selecting at least one data packet from the group as the data packets covered by the integrity protection of the target data packet further comprises:
concatenating the sequence numbers of the randomly selected data packets with the target data packet to obtain an updated target data packet.
8. The method of claim 5, further comprising:
negotiating with the second device to determine the values of m and n and the manner in which the data packets covered by the integrity protection of each target data packet are determined.
9. The method of claim 2, wherein the first sequence number is obtained by performing an XOR calculation on the sequence numbers of the data packets covered by the integrity protection of the target data packet.
10. A method for packet integrity protection, comprising:
a second device receives data packets sent by a first device and integrity check information of the data packets;
grouping the received data packets, wherein a target data packet in each group has corresponding integrity check information, and the number n of the target data packets is less than or equal to the total number m of the data packets in the group;
and carrying out integrity check on the target data packets in the groups to obtain the integrity check result of each group.
11. The method of claim 10, wherein carrying out integrity check on the target data packets in the group comprises:
determining the target data packets in the group, and determining the data packets covered by the integrity protection of each target data packet, wherein the union of the data packets covered by the integrity protection of all the target data packets is all the data packets in the group;
for each target data packet, generating a first sequence number according to the sequence numbers of the data packets covered by the integrity protection of the target data packet;
generating information to be checked corresponding to the target data packet by using preset parameters and an integrity key, wherein the preset parameters at least comprise the first sequence number;
and comparing the information to be checked corresponding to the target data packet with the integrity check information corresponding to the target data packet to obtain an integrity check result of the target data packet, wherein the integrity check information corresponding to the target data packet is attached to the end of the target data packet.
12. The method of claim 11, wherein obtaining the integrity check result of each group comprises:
when the integrity check of every target data packet in the group passes, determining that the integrity check of the group passes; otherwise, determining that the integrity check of the group fails;
or,
when the integrity check of a target data packet passes, determining that the integrity check of all the data packets covered by the integrity protection of that target data packet passes; otherwise, determining that the integrity check of all the data packets covered by the integrity protection of that target data packet fails.
13. The method of claim 11, wherein the target data packets are:
n data packets randomly selected from the group;
or,
n data packets at preset positions in the group.
14. The method of claim 13, wherein the target data packets are selected in each group independently of the other groups.
15. The method of claim 11, wherein determining the data packets covered by the integrity protection of the target data packet comprises any one of the following:
an average determination mode: dividing the data packets in the group into n segments according to a preset data packet interval L; according to the correspondence between the segments and the target data packets, determining all the data packets in each segment as the data packets covered by the integrity protection of the corresponding target data packet, wherein L is m/n rounded down to an integer;
a total determination mode: determining all the data packets in the group in which the target data packet is located as the data packets covered by the integrity protection of the target data packet;
a random determination mode: obtaining the sequence numbers of the data packets concatenated with the target data packet, and determining the data packets covered by the integrity protection of the target data packet according to the obtained sequence numbers.
16. The method of claim 15, wherein, when the data packets in the group are divided into n segments according to the preset data packet interval L and m is not divisible by n, the remaining data packets are accommodated in the existing segments.
17. The method of claim 15, further comprising:
negotiating with the first device to determine the values of m and n and the manner in which the data packets covered by the integrity protection of each target data packet are determined.
18. The method of claim 11, wherein the first sequence number is obtained by performing an XOR calculation on the sequence numbers of the data packets covered by the integrity protection of the target data packet.
19. A first device, comprising:
the grouping module is used for grouping the data packets to be transmitted to obtain at least one group;
the protection module is used for carrying out integrity protection on target data packets in the packets according to the packets to generate integrity check information, wherein the number n of the target data packets is less than or equal to the total number m of the data packets in the packets;
and the sending module is used for sending the data packet and the integrity check information to a second device.
20. A first device comprising a transceiver and a processor, wherein,
the processor is used for grouping the data packets to be transmitted to obtain at least one group; according to the grouping, carrying out integrity protection on target data packets in the grouping to generate integrity check information, wherein the number n of the target data packets is less than or equal to the total number m of the data packets in the grouping;
the transceiver is configured to send the data packet and the integrity check information to a second device.
21. A first device, comprising: a processor, a memory, and a program stored on the memory and executable on the processor, which, when executed by the processor, implements the steps of the method according to any one of claims 1 to 9.
22. A second apparatus, comprising:
the receiving module is used for receiving the data packet sent by the first device and the integrity check information of the data packet;
the grouping module is used for grouping the received data packets, wherein a target data packet in each group has corresponding integrity check information, and the number n of the target data packets is less than or equal to the total number m of the data packets in the group;
and the checking module is used for carrying out integrity checking on the target data packet in the group to obtain the integrity checking result of each group.
23. A second device comprising a transceiver and a processor, wherein,
the transceiver is used for receiving a data packet sent by the first device and integrity check information of the data packet;
the processor is used for grouping the received data packets, wherein a target data packet in each group has corresponding integrity check information, and the number n of the target data packets is less than or equal to the total number m of the data packets in the group; and carrying out integrity check on the target data packets in the group to obtain an integrity check result of each group.
24. A second device, comprising: a processor, a memory, and a program stored on the memory and executable on the processor, which, when executed by the processor, implements the steps of the method according to any one of claims 10 to 18.
25. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 18.
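The scheme of claims 1 to 18 carried through on a constructed group of packets, as an added example that is not code from the patent or its applicant: fixed-position target selection, the average coverage mode with the remainder absorbed into the last segment (claims 6 and 16), the XOR first sequence number (claims 9 and 18), a tag attached to the end of each target packet, and a receiver that applies each target's verdict to every packet it covers (second option of claim 12). The HMAC-SHA256 instantiation, the 4-byte tag length, the key and the packet contents are assumptions; the claims fix only that the tag is computed from an integrity key and preset parameters that include the first sequence number.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

MAC_LEN = 4  # assumed length of the truncated tag appended to each target packet


@dataclass
class Packet:
    seq: int
    payload: bytes
    mac: bytes = b""  # non-empty only on target packets after protection


def segments(m: int, n: int) -> List[range]:
    """Average mode (claims 5/15): L = floor(m/n) packets per segment; when n does
    not divide m the remaining packets are absorbed into the last segment (claims 6/16)."""
    assert 1 <= n <= m, "the claims require n <= m"
    L = m // n
    segs = [range(i * L, (i + 1) * L) for i in range(n)]
    segs[-1] = range((n - 1) * L, m)
    return segs


def first_seq(pkts: List[Packet], covered: range) -> int:
    """Claims 9/18: XOR of the sequence numbers of the covered packets."""
    x = 0
    for i in covered:
        x ^= pkts[i].seq
    return x


def tag(key: bytes, fseq: int, payload: bytes) -> bytes:
    # Assumed instantiation: HMAC-SHA256 over (first sequence number || target payload),
    # truncated. The claims fix only an integrity key and preset parameters that
    # include the first sequence number, not the algorithm.
    return hmac.new(key, fseq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:MAC_LEN]


def protect(pkts: List[Packet], key: bytes, n: int) -> List[Packet]:
    """Sender (claims 1-9), fixed-position mode: the first packet of each segment is
    the target and its tag is attached to the end of that packet."""
    for seg in segments(len(pkts), n):
        t = pkts[seg.start]
        t.mac = tag(key, first_seq(pkts, seg), t.payload)
    return pkts


def verify(pkts: List[Packet], key: bytes, n: int) -> List[bool]:
    """Receiver (claims 10-18): recompute each target's tag and, per the second option
    of claim 12, apply the verdict to every packet that target covers."""
    result = [False] * len(pkts)
    for seg in segments(len(pkts), n):
        t = pkts[seg.start]
        ok = hmac.compare_digest(t.mac, tag(key, first_seq(pkts, seg), t.payload))
        for i in seg:
            result[i] = ok
    return result


def run_scenarios(m: int = 10, n: int = 3) -> Dict[str, List[bool]]:
    """Protect a constructed group of m packets, apply one in-transit change per
    scenario and return the receiver's per-packet check result."""
    key = b"constructed-integrity-key"  # constructed, not from the patent

    def fresh() -> List[Packet]:
        return protect([Packet(100 + i, f"pdu-{i}".encode()) for i in range(m)], key, n)

    clean, seq_chg, pay_chg, tgt_chg = fresh(), fresh(), fresh(), fresh()
    seq_chg[4].seq ^= 1        # covered non-target: sequence number altered -> detected
    pay_chg[4].payload = b"x"  # covered non-target: payload altered -> no tag covers it
    tgt_chg[6].payload = b"x"  # target of the last segment altered -> detected
    return {
        "clean": verify(clean, key, n),
        "covered_seq_changed": verify(seq_chg, key, n),
        "covered_payload_changed": verify(pay_chg, key, n),
        "target_changed": verify(tgt_chg, key, n),
    }
```

The third scenario shows the partial protection the abstract describes: because each tag binds only the target packet's own content and the covered sequence numbers, a changed payload in a covered non-target packet passes the check, while a changed sequence number or a changed target packet fails it for the whole segment.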

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011457763.0A CN114630327A (en) 2020-12-11 2020-12-11 Method and equipment for protecting integrity of data packet


Publications (1)

Publication Number Publication Date
CN114630327A true CN114630327A (en) 2022-06-14

Family

ID=81895137


Country Status (1)

Country Link
CN (1) CN114630327A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023160347A1 (en) * 2022-02-25 2023-08-31 华为技术有限公司 Integrity protection method and apparatus for data packet, and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination